network access for remote users: practical ipsec
Dr John S. Graham, ULCC
Summary of Installations
• Remote Site
  – Guildhall School of Music and Drama
  – Southgate and Capel Manor Colleges
• Remote Users
  – Conservatoire of Dance and Drama
Crypto Route Map
• Crypto map
  – Static or Dynamic
• IKE Policy
• Additional Optional Steps
  – User authentication
  – Peer configuration
• Integrate with overall router config
IKE Policies
• Algorithms to be offered
• Authentication method
  – Pre-shared key
  – X.509 certificates
  – RSA encrypted nonces
• Diffie-Hellman Group
GSMD Physical Installation
(Diagram: remote site linked to main campus)
GSMD: Equipment at Remote Site
• ‘Wires Only’ ADSL Connection
  – One Static IP Address
• Splitter
• Cisco 827H Router
  – Ethernet hub (4 ports) plus ATM port
Static Crypto Components
• Create Crypto Map
  – Define trigger (ACL)
  – Peer Identity (IP address or FQDN)
  – Define transform
    • Mode (tunnel or transport)
    • List of algorithms that will be offered to peer
  – Lifetime of SA
• Bind crypto map to external interface
Authentication of Known Peers
• One-to-one mappings between:
  – Peer IP addresses
  – Shared secret (unique to each peer)
• IKE Phase I Main Mode exchanges:
  1. Negotiate IKE SA and exchange cookies
  2. Diffie-Hellman public values and pseudo-random nonces
  3. Peers identify themselves and exchange authenticating hash
IKE Main Mode
(Message flow between Initiator and Responder)
1. Initiator → Responder: Hdr, SA Proposals
2. Responder → Initiator: Hdr, Chosen Proposal
3. Initiator → Responder: Hdr, KE, Nonce
4. Responder → Initiator: Hdr, KE, Nonce
5. Initiator → Responder: Hdr, IDii, Hash_I
6. Responder → Initiator: Hdr, IDir, Hash_R
IKE SA Established
Coexistence of NAT and IPSec
• IPSec Precedes NAT
  – AH fails because source and/or destination addresses have changed
  – Transport-mode ESP invalidates TCP checksums
  – Invalidates IKE authentication exchange
• NAT Precedes IPSec
  – Crypto triggers do not fire when expected
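The first two failure modes above, modelled in Python as an added example (not from the slides): the TCP checksum is computed over a pseudo-header that contains the IP addresses, so a segment encrypted in transport-mode ESP carries a checksum NAT cannot fix up; likewise an AH integrity value over the source address no longer verifies once NAT has rewritten it. The AH key and the simplified set of fields covered by the ICV are assumptions for illustration; the addresses reuse the slides' 10.0.0.5 / 212.219.240.225 / 192.168.0.0/24 values.

```python
import hashlib
import hmac
import socket
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    """TCP pseudo-header: the very addresses NAT rewrites are part of the TCP checksum."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)

def build_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH/ACK) with a checksum that is correct for src/dst."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    csum = csum16(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return csum16(pseudo_header(src, dst, len(segment)) + segment) == 0

def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """AH integrity check value (HMAC-SHA1-96) over immutable fields, simplified here to src/dst + payload."""
    data = socket.inet_aton(src) + socket.inet_aton(dst) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_ok(key: bytes, src: str, dst: str, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, src, dst, payload), icv)

# Constructed addresses: inside host, its static NAT translation, and a peer reached through the tunnel.
INSIDE, TRANSLATED, PEER = "10.0.0.5", "212.219.240.225", "192.168.0.10"
KEY = b"constructed-demo-key"   # hypothetical AH key, not from the slides

def esp_transport_survives_nat() -> bool:
    """Transport-mode ESP: the segment is encrypted, so NAT rewrites the IP source but cannot touch the checksum."""
    segment = build_tcp(INSIDE, PEER, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    return tcp_checksum_ok(TRANSLATED, PEER, segment)   # receiver validates against the translated source

def ah_survives_nat() -> bool:
    """AH: the ICV covers the source address, which NAT has changed in transit."""
    icv = ah_icv(KEY, INSIDE, PEER, b"payload")
    return ah_ok(KEY, TRANSLATED, PEER, b"payload", icv)
```

Both `esp_transport_survives_nat()` and `ah_survives_nat()` return False, which is the packet-level reason the slide orders IPSec after NAT only when the crypto ACL is written against the translated addresses.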
Dynamic NAT vs Crypto
(Diagram: hosts A1, A2 and B1–B3; Ethernet interface, dialer interface with ACL, NAT and crypto map; IPSec tunnel)
Southgate and Capel Manor
• Shared student records database at Southgate
• Database queries & updates over high-speed WAN with crypto.
• Back-up interface using ISDN
Integrating Crypto and Routing
1. Create GRE tunnel interface
2. Routing protocol receives updates over T1 & T2
3. Bind crypto map to T1 and T2
4. Watch out for double fragmentations!
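The double fragmentation of step 4, modelled as an added example (not from the slides): a full-size host packet is first fragmented to the GRE tunnel's ip mtu, then each GRE fragment grows again under ESP tunnel mode and is fragmented a second time against the physical MTU. The ESP overheads assume 3DES-CBC with HMAC-SHA1-96 and the IOS default tunnel ip mtu of 1476; `max_tunnel_mtu` finds the largest tunnel ip mtu that avoids the second pass.

```python
IP_HDR = 20
GRE_OVERHEAD = IP_HDR + 4   # outer IP header plus 4-byte GRE header (hence the 1476 default tunnel ip mtu)
ESP_SPI_SEQ, ESP_IV, ESP_TRAILER, ESP_ICV = 8, 8, 2, 12   # assumed 3DES-CBC (8-byte blocks), HMAC-SHA1-96

def ip_fragment(total_len: int, mtu: int) -> list:
    """Split an IP packet of total_len bytes (20-byte header included) to fit mtu; returns on-wire sizes."""
    if total_len <= mtu:
        return [total_len]
    chunk = (mtu - IP_HDR) // 8 * 8   # every fragment but the last carries a multiple of 8 payload bytes
    sizes, payload = [], total_len - IP_HDR
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes

def esp_tunnel_len(inner_len: int) -> int:
    """Size of an ESP tunnel-mode packet carrying inner_len bytes (inner packet + trailer padded to 8)."""
    encrypted = -(-(inner_len + ESP_TRAILER) // 8) * 8
    return IP_HDR + ESP_SPI_SEQ + ESP_IV + encrypted + ESP_ICV

def send_over_gre_ipsec(packet_len: int, tunnel_mtu: int, phys_mtu: int) -> tuple:
    """Host packet enters the GRE tunnel (T1/T2), then the crypto map encrypts the GRE packet.
    Returns (fragments made at the tunnel, packets on the wire, whether any piece was fragmented twice)."""
    tunnel_frags = ip_fragment(packet_len, tunnel_mtu)   # first fragmentation: packet vs tunnel ip mtu
    wire, double = [], False
    for frag in tunnel_frags:
        pieces = ip_fragment(esp_tunnel_len(frag + GRE_OVERHEAD), phys_mtu)   # second: ESP vs link MTU
        double = double or (len(tunnel_frags) > 1 and len(pieces) > 1)
        wire.extend(pieces)
    return len(tunnel_frags), len(wire), double

def max_tunnel_mtu(phys_mtu: int) -> int:
    """Largest tunnel 'ip mtu' whose GRE + ESP encapsulation still fits phys_mtu in one piece."""
    mtu = phys_mtu
    while esp_tunnel_len(mtu + GRE_OVERHEAD) > phys_mtu:
        mtu -= 1
    return mtu

if __name__ == "__main__":
    print("default ip mtu 1476:", send_over_gre_ipsec(1500, 1476, 1500))   # (2, 3, True): fragmented twice
    best = max_tunnel_mtu(1500)
    print("ip mtu", best, send_over_gre_ipsec(1500, best, 1500))          # (2, 2, False): fragmented once
```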
Fragmentation Hell
CDD and Physical Installation
CDD: Logical Installation
• Remote peer IP not known
  – Dynamic crypto
  – IKE Phase 1 uses aggressive mode
• Insecure shared secret
  – IKE extended authentication (XAuth)
• Central control of remote peer’s config
  – IPSec Mode-configuration (MODECFG)
Authentication of Unknown Peers
• Pre-shared secret not indexed by IP address
• IKE Phase I Aggressive Mode Exchange
• Supplementary authentication of user credentials
IKE Aggressive Mode
(Message flow between Initiator and Responder)
1. Initiator → Responder: Hdr, SA, KE, Nonce, IDii
2. Responder → Initiator: Hdr, SA, KE, Nonce, IDir, Hash_R
3. Initiator → Responder: Hdr, Hash_I
IKE SA Established
CDD: IKE XAuth
• Router → PC: ISAKMP_CFG_REQUEST
• PC → Router: ISAKMP_CFG_REPLY
• Router → PC: ISAKMP_CFG_SET
• PC → Router: ISAKMP_CFG_ACK
CDD: Mode Configuration
Remote station configured by router with:
• a private IP address and mask
• a list of local prefixes that will be tunnelled
• a list of local domains and their associated resolvers
Selective Static NAT
ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat
!
! Traffic from 10.0.0.5 to the tunnelled 192.168.0.0/24 prefix is denied so it is not
! translated. The trailing permit (added here) is required: an ACL with only a deny
! ends in the implicit deny-all, so the route-map would never apply the translation.
access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255
access-list 100 permit ip host 10.0.0.5 any
!
route-map selective-nat permit 10
 match ip address 100
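An added Python model of the selective NAT decision above (not code from the slides): it parses IOS-style `access-list` lines with `host`, `any` and wildcard-mask specs, applies first-match-wins with the implicit deny, and only translates the static mapping when the route-map's ACL permits the flow. It shows that tunnelled traffic to 192.168.0.0/24 keeps its private source, and that with only the deny line nothing at all is translated. The 198.51.100.9 destination is a constructed Internet address.

```python
import socket
import struct

def _u32(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def _parse_spec(tokens: list) -> tuple:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _u32(tokens.pop(0)), 0
    return _u32(tok), _u32(tokens.pop(0))

def parse_acl(lines: list) -> list:
    """Parse 'access-list N permit|deny ip SRC DST' lines into (permit, src_spec, dst_spec) entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":
            rest = tok[4:]
            src, dst = _parse_spec(rest), _parse_spec(rest)
            entries.append((tok[2] == "permit", src, dst))
    return entries

def _matches(spec: tuple, addr: int) -> bool:
    net, wildcard = spec                  # a set wildcard bit means "don't care"
    mask = ~wildcard & 0xFFFFFFFF
    return (addr & mask) == (net & mask)

def acl_permits(entries: list, src: str, dst: str) -> bool:
    s, d = _u32(src), _u32(dst)
    for permit, src_spec, dst_spec in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return permit                 # first matching entry wins
    return False                          # implicit deny at the end of every IOS ACL

def translate_source(static_map: dict, entries: list, src: str, dst: str) -> str:
    """'ip nat inside source static ... route-map': translate only flows the route-map's ACL permits."""
    if src in static_map and acl_permits(entries, src, dst):
        return static_map[src]
    return src

STATIC = {"10.0.0.5": "212.219.240.225"}   # the slide's static mapping
DENY_ONLY_ACL = ["access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255"]
FULL_ACL = DENY_ONLY_ACL + ["access-list 100 permit ip host 10.0.0.5 any"]
```

With `FULL_ACL`, 10.0.0.5 → 192.168.0.7 stays untranslated (so the crypto ACL still fires) while 10.0.0.5 → 198.51.100.9 becomes 212.219.240.225; with `DENY_ONLY_ACL` neither flow is translated.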
Windows Gotchas
• Domain Logons Over Tunnel
  – Kerberos not tunnelled
• Shared secret not supported
  – Registry hack